[Xgrid] Sandbox & Task Permission Issues in Leopard

We have had a series of "permission denied" questions lately related
to Xgrid's new security model in Leopard, so I wanted to provide some
background.

In Leopard, for better security Xgrid now runs tasks using the new
"sandbox" facility in Mac OS X 10.5 (more details below). The simple
explanation is that on Leopard, tasks running as 'nobody' (i.e., any
task where either the submitting client or the receiving agent is NOT
using Kerberos authentication) have very restricted access to the
filesystem. The details are specified here:

The optimal solution is to instead use Kerberos authentication for
everything. That way, tasks run using:

/usr/share/sandbox/xgridagentd_task_somebody.sb

(allow process* sysctl* mach* file-read* file-write* network*)

I realize that this may not always be viable, but in that case you are
pretty much on your own. In theory it is possible to edit (or
replace) the task_nobody file so "nobody" processes have similar
permissions as those in "task_somebody", e.g.:

(allow file-read* file-write* (regex "^/all(/|$)"))

However, note that this makes the system more vulnerable to rogue
Xgrid jobs, so if you attempt this it is imperative you have other
controls in place to safeguard your cluster.

In addition, any changes you make to system-provided files like /usr/
share/sandbox/xgridagentd* may well break or be replaced by a future
update. You have been warned!
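If you do go down the road of replacing task_nobody, the safer shape is to deny everything and grant only what the job actually touches, rather than opening a broad tree. The profile below is an added illustration in the same rule syntax as the two lines above; it is not Apple's shipped profile or anything from the original post. The scratch path is a constructed placeholder, and whether these grants are sufficient for the agent to launch a given job is an assumption you must verify on your own cluster.

```scheme
; Constructed example: a least-privilege replacement for
; /usr/share/sandbox/xgridagentd_task_nobody.sb. Not Apple's shipped
; profile. Paths are placeholders; adjust them for your cluster.
(version 1)

; Start from nothing; every allow below is an explicit grant.
(deny default)

; Tasks must fork, exec the job binary and wait on children. The
; shipped "somebody" profile grants these same three classes.
(allow process*)
(allow sysctl*)
(allow mach*)

; Read-only access to the system binaries, libraries and frameworks
; that any dynamically linked program needs in order to start.
(allow file-read*
       (regex "^/(bin|sbin|usr|System/Library|Library/Frameworks)/"))

; Read and write only inside the shared scratch volume the agent
; stages jobs into (constructed path), instead of the whole
; filesystem or a wide tree such as the "^/all" rule above.
(allow file-read* file-write* (regex "^/Volumes/XgridScratch(/|$)"))

; Per-task temporary files.
(allow file-read* file-write* (regex "^/private/tmp/"))

; Deliberately no network* rule: an unauthenticated task gets no
; network access at all.

; Try the profile before installing it over the system copy:
;   sandbox-exec -f /tmp/task_nobody_test.sb /bin/sh -c \
;     'touch /Volumes/XgridScratch/probe; touch /etc/probe'
; The first touch should succeed and the second should be denied.
```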

Sandbox tested.
Sometimes hackers try to hijack an application to run malicious
code. Sandboxing helps ensure that applications do only what
they’re intended to by restricting which files they can access,
whether they can talk to the network, and whether they can be used
to launch other applications. Helper applications in Leopard —
including the software that enables Bonjour and the Spotlight
indexer — are sandboxed to guard against attackers.

In the case of the new sandboxing facility in Leopard, mandatory
access controls restrict access to system resources as determined by
a special sandboxing profile that is provided for each sandboxed
application. This means that even processes running as root can have
extremely limited access to system resources.

...Sandboxing helps ensure that applications do only what they’re
intended to do by placing controls on applications that restrict what
files they can access, whether they can talk to the network, and
whether they can be used to launch other applications. In Leopard,
many of the system’s helper applications that normally communicate
with the network—such as mDNSResponder (the software underlying
Bonjour) and the Kerberos KDC—are sandboxed to guard them from abuse
by attackers trying to access the system. In addition, other programs
that routinely take untrusted input (for instance, arbitrary files or
network connections) such as Xgrid and the Quick Look and Spotlight
background daemons are sandboxed.

Sandboxing in Leopard is based on the system’s mandatory access
controls mechanism, which is implemented at the kernel level.
Sandboxing profiles are developed for each application that runs in a
sandbox, describing precisely which resources are accessible to the
application.

ernest$ man -k sandbox
ernest$ man sandbox

The sandbox facility allows applications to voluntarily restrict
their access to operating system resources. This safety mechanism
is intended to limit potential damage in the event that a
vulnerability is exploited. It is not a replacement for other
operating system access controls.

New processes inherit the sandbox of their parent. Restrictions
are generally enforced upon acquisition of operating system
resources only. For example, if file system writes are
restricted, an application will not be able to open(2) a file for
writing. However, if the application already has a file
descriptor opened for writing, it may use that file descriptor
regardless of restrictions.

Xgrid-users mailing list (email@hidden)